Unconditional security of the BB84 quantum key distribution protocol has been proved by exploiting the fundamental laws of quantum mechanics, but a practical quantum key distribution system may be hacked by exploiting imperfect state preparation and measurement. Until now, different attacking schemes have been proposed by utilizing imperfect devices, but a general security analysis model against all of the practical attacking schemes has not been proposed. Here, we demonstrate that the general practical attacking schemes can be divided into the Trojan horse attack, the strong randomness attack and the weak randomness attack. We prove security of the BB84 protocol under randomness attacking models, and these results can be applied to guarantee the security of the practical quantum key distribution system.


Quantum key distribution (QKD) [1] is the art of sharing secret keys between two remote parties Alice and Bob, the unconditional security of which is based on the fundamental laws of quantum mechanics. The detailed security analysis has been proved by applying the entanglement distillation and purification (EDP) technology [3, 0 and the von Neumann entropy theory (j-l3 respectively. However, unconditional security of the QKD protocol rests on an important assumption, which requires that Alice and Bob have random numbers to control the classical bit encoding and measurement bases selection, and it can be easily proved that security of the final key can't be guaranteed if the input random numbers are controlled or known by the eavesdropper Eve. In recent years, practical QKD systems were attacked by exploiting imperfect state preparation and measurement [7]. More generally, the practical attacking schemes can be divided into three different types. The first type is the Trojan horse attack [^, where the signal state combined with the Trojan horse state can be treated as a high dimensional state modulation. Note that Eve can measure one dimension of the modulated high dimensional state to get all of the secret key information without being discovered, thus Alice and Bob should apply a dimension filter (such as a wavelength filter) to avoid this attack.

The second type is the strong randomness attack, in which some of the input random numbers are totally controlled by the eavesdropper Eve. For example, multi photon states can be attacked by applying the photon number splitting (PNS) attack, where the multi photon encoding quantum states can be assumed to be known by Eve.

Another example is the detector blinding attack [11], [i3| j where Eve can easily mount the man-in-the-middle (MITM) attack by converting the avalanche photodiodes (APDs) into linear mode. The detectors register a count iff Bob's basis selection is equal to Eve's, which means that the bases selection on Bob's side is controlled by Eve. Recently we proposed the probabilistic blinding attack model [13], where Eve applies the blinding attack only partly to avoid being caught by detection of the current parameter. In the strong randomness attack model, the final secret key rate should delete all of the counting events known by Eve. The GLLP secret key rate and the decoy state method [IM3 can be regarded as deleting all of the multi photon pulse counting results, so that only the single photon counting events can generate the final secret key, while the probabilistic blinding attack analysis can be regarded as deleting all of the blinding counting results, so that only the non-blinding counting events can generate the final secret key. In the strong randomness attack model, the previous secret key rate [l^ formula can be modified to

$$R \ge p\,S(a|E) - f\,h(e), \qquad (1)$$

where $p$ is the probability of a valid counting result, which can't be controlled by Eve, $a$ is Alice's measurement outcome, $E$ is Eve's auxiliary quantum system, $S(a|E) = S(a,E) - S(E)$ is the conditional von Neumann entropy, which quantifies Eve's uncertainty about Alice's key bit $a$, $e$ is the practical bit error rate, $h(e) = -e\log_2 e - (1-e)\log_2(1-e)$ is the classical Shannon entropy function, and $f \ge 1$ is the error correction efficiency. If we consider the PNS attack, $p$ is given by the single photon counting rate, and $S(a|E)$ can be estimated from the single photon error rate.

The third type is the weak randomness attack, in which the input random numbers are partly controlled by Eve M-. For example, the wavelength dependence of the beam splitter introduces the wavelength attack [23], where Eve can apply different wavelengths to control Bob's bases selection. Since the practical beam splitter and different wavelengths may only have partial correlation, which means the beam splitter coupling ratio can't reach 0 and 1 for the two different bases, Eve can only partly control the bases selection. Another example is the time shift attack [21], where Eve controls the APDs' detection efficiency by controlling the photon arrival time, thus Eve has an advantage in guessing the measurement outcomes. Since the practical time shift attack introduces a nonzero error rate, the classical bit encoding can be assumed to be partly known by Eve correspondingly.

Now, the Trojan horse attack can be avoided by applying the dimension filter before the state modulation and measurement, which blocks Eve's Trojan horse light. The strong randomness attacking model has also been analyzed by applying strict post processing, where we only need to precisely estimate $p$ and $S(a|E)$. However, the weak randomness attacking model has not been analyzed until now. In this work, we prove security of the practical QKD system with weak input random numbers, which can affect the classical bit encoding and bases selection respectively. We give two security analysis models. The first is based on one post processing step, where error correction and privacy amplification are applied once to all of the measurement outcomes. The second considers two post processing steps, where the measurement outcomes in the two bases are post processed separately. If we only consider bit encoding weak randomness, the two methods give the same secret key rate. But if we consider the bases selection weak randomness, the analysis result shows that two post processing steps can generate much more secret key. Our analysis models can be applied to several attacking schemes, such as the wavelength attack and the time shift attack. Combined with the previous three attacking models, security of the practical QKD system can be evaluated completely. Thus, our analysis result can be applied to estimate security of the practical QKD system, which can be employed to build the practical QKD system security standardization.

BB84 QKD protocol with weak randomness - In the BB84 protocol, there are two binary input bits $x_1$ and $x_0$ on Alice's side, which are used to select the state preparation basis and the encoded classical bit respectively, while the state measurement side Bob needs one binary input bit $y$ to select the measurement basis. After the quantum state preparation and measurement, Alice and Bob apply the bases sifting process to keep the cases with the same bases ($x_1 = y$). Thus, in the security analysis model, the input randomness can be divided into two sets: the first set decides the encoding classical bit selection $x_0$, while the second set decides the encoding and decoding bases selection $x_1$ (or $y$). Since Alice and Bob publicly compare $x_1$ and $y$ to keep the same value, we need only consider that Eve has partial knowledge about the bases selection $x_1$ before the state measurement, and the security analysis model can be simplified correspondingly. Thus we need only assume weak random numbers $x_0$ and $x_1$ to control the encoding classical bit and bases selection respectively; the detailed analysis model is given in Fig. 1.

FIG. 1: Weak randomness QKD model, where $x_0$ decides the encoding classical bit, $x_1$ decides the encoding bases selection, and $y$ decides the measurement bases selection. In the weak randomness QKD model, Eve has an advantage in guessing the classical bit encoding $x_0$ and the basis selection $x_1$.

In the weak randomness model, the weak random numbers $x_0$ and $x_1$ can be controlled by two different sets of hidden variables $\lambda_0$ and $\lambda_1$ as in the following equations,

$$p(x_0) = \sum_i p_{\lambda_0=i}\, p(x_0|\lambda_0=i),$$
$$p(x_1) = \sum_j p_{\lambda_1=j}\, p(x_1|\lambda_1=j), \qquad (2)$$

where $\lambda_0$ and $\lambda_1$ are hidden variables controlled by Eve, $p(x_0 = 0)$ is the probability that Alice encodes classical bit 0, while $p(x_0 = 1) = 1 - p(x_0 = 0)$ is the probability that Alice encodes classical bit 1. Similarly, $p(x_1 = 0)$ is the probability that Alice applies the rectilinear encoding basis, and $p(x_1 = 1) = 1 - p(x_1 = 0)$ is the probability that Alice applies the diagonal encoding basis. Note that the two sets of hidden variables $\lambda_0$ and $\lambda_1$ should satisfy $\sum_i p_{\lambda_0=i} = \sum_j p_{\lambda_1=j} = 1$. However, even if the practical experimental realization can observe $p(x_0) = \frac{1}{2}$ and $p(x_1) = \frac{1}{2}$ respectively, we still can't guarantee $p(x_0|\lambda_0 = i) = p(x_1|\lambda_1 = j) = \frac{1}{2}$ for arbitrary hidden variables $\lambda_0 = i$ and $\lambda_1 = j$. Thus, the aforementioned security analysis model based on perfect random input numbers can't be applied directly; we need to estimate the randomness deviation for arbitrary hidden variables. The practical weak randomness model is given by

$$\left|p(x_0|\lambda_0 = i) - \tfrac{1}{2}\right| \le \varepsilon_0,$$
$$\left|p(x_1|\lambda_1 = j) - \tfrac{1}{2}\right| \le \varepsilon_1, \qquad (3)$$

where $0 \le \varepsilon_0, \varepsilon_1 \le \frac{1}{2}$; $\varepsilon_0 = 0$ ($\varepsilon_1 = 0$) is the perfect random number case, which means that Eve has no prior knowledge about the classical bit selection (bases selection), while $\varepsilon_0 = \frac{1}{2}$ ($\varepsilon_1 = \frac{1}{2}$) means Eve previously knows the classical bit selection (bases selection), in which case Alice and Bob can't generate any secret key even if they can observe $p(x_0) = \frac{1}{2}$ ($p(x_1) = \frac{1}{2}$).

One-step post processing method - By considering the given hidden variable $\lambda_0 = i$, we apply the EDP technology to describe the practical state preparation by the following equation,

$$|\psi\rangle_{\lambda_0=i} = \sqrt{p(x_0=0|\lambda_0=i)}\,|00\rangle + \sqrt{p(x_0=1|\lambda_0=i)}\,|11\rangle, \qquad (4)$$

where Alice encodes the classical bit 0 with probability $p(x_0 = 0|\lambda_0 = i)$, and encodes the classical bit 1 with probability $p(x_0 = 1|\lambda_0 = i) = 1 - p(x_0 = 0|\lambda_0 = i)$. By considering the given hidden variable $\lambda_1 = j$, Alice prepares the quantum state in the rectilinear basis with probability $p(x_1 = 0|\lambda_1 = j)$, and prepares the quantum state in the diagonal basis with probability $p(x_1 = 1|\lambda_1 = j) = 1 - p(x_1 = 0|\lambda_1 = j)$, thus the final quantum state preparation under the Pauli quantum channel is

$$\rho_{AB_{ij}} = \sum_{u,v} q_{u,v}\Big\{ p(x_1=0|\lambda_1=j)\, I\otimes X^uZ^v|\psi\rangle\langle\psi|_{\lambda_0=i}Z^vX^u\otimes I + p(x_1=1|\lambda_1=j)\, I\otimes HX^uZ^vH|\psi\rangle\langle\psi|_{\lambda_0=i}HZ^vX^uH\otimes I\Big\}, \qquad (5)$$

where $u,v \in \{0,1\}$, $H$ = is the Hadamard matrix, $\sum_{u,v} q_{u,v} = 1$, $q_{0,0}$ is the probability that Eve applies identity operation $I$ = , $q_{0,1}$ is the probability that Eve applies phase error operation $Z$ = , $q_{1,0}$ is the probability that Eve applies bit error operation $X$ = , $q_{1,1}$ is the probability that Eve applies bit phase error operation $XZ$. Since Alice's state preparation is restricted to the two dimensional Hilbert space, we can prove the final secret key rate under the Pauli quantum channel. Thus, the quantum bit error rate and phase error rate introduced by Eve can be respectively given by

$$e_{bit} = \langle\phi_2|\rho_{AB_{ij}}|\phi_2\rangle + \langle\phi_4|\rho_{AB_{ij}}|\phi_4\rangle,$$
$$e_{phase} = \langle\phi_3|\rho_{AB_{ij}}|\phi_3\rangle + \langle\phi_4|\rho_{AB_{ij}}|\phi_4\rangle, \qquad (6)$$

where

$$|\phi_1\rangle = \tfrac{1}{\sqrt{2}}(|00\rangle + |11\rangle),$$
$$|\phi_2\rangle = \tfrac{1}{\sqrt{2}}(|01\rangle + |10\rangle),$$
$$|\phi_3\rangle = \tfrac{1}{\sqrt{2}}(|00\rangle - |11\rangle),$$
$$|\phi_4\rangle = \tfrac{1}{\sqrt{2}}(|01\rangle - |10\rangle). \qquad (7)$$
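For arbitrary hidden variables $\lambda_0 = i$ and $\lambda_1 = j$, the upper bound of the phase error rate can be estimated by applying the bit error rate and the randomness deviation parameters,

$$
\begin{aligned}
e_{phase} - e_{bit} &= \Big(\tfrac{1}{2} - \sqrt{p(x_0=0|\lambda_0=i)\,p(x_0=1|\lambda_0=i)}\Big) q_{00} - \Big(\tfrac{1}{2} - \sqrt{p(x_0=0|\lambda_0=i)\,p(x_0=1|\lambda_0=i)}\Big) q_{11} \\
&\quad + \big(2p(x_1=0|\lambda_1=j) - 1\big)\Big(\tfrac{1}{2} + \sqrt{p(x_0=0|\lambda_0=i)\,p(x_0=1|\lambda_0=i)}\Big) q_{01} \\
&\quad + \big(1 - 2p(x_1=0|\lambda_1=j)\big)\Big(\tfrac{1}{2} + \sqrt{p(x_0=0|\lambda_0=i)\,p(x_0=1|\lambda_0=i)}\Big) q_{10} \\
&\le \Big(\tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}}\Big) q_{00} + \Big(\tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}}\Big) q_{11} + 2\varepsilon_1 q_{01} + 2\varepsilon_1 q_{10} \\
&\le \max\Big(\tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}},\ 2\varepsilon_1\Big) \\
&= \delta,
\end{aligned} \qquad (8)
$$

where we apply $q_{00} + q_{11} \le 1$, $q_{01} + q_{10} \le 1$ and $\sum_{u,v} q_{u,v} = 1$ in the previous calculation. By applying the EDP
technology, the final secret key rate with given hidden variables $\lambda_0 = i$ and $\lambda_1 = j$ is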
In the practical experimental realization, we can only observe the practical quantum bit error rate $e_{bit} = \sum_{i,j} p_{\lambda_0=i}\,p_{\lambda_1=j}\,e^{ij}_{bit}$; the final secret key rate with given quantum bit error rate $e_{bit}$ can be given by

$$
\begin{aligned}
R &\ge \sum_{i,j} p_{\lambda_0=i}\,p_{\lambda_1=j}\big(1 - h(e^{ij}_{phase}) - h(e^{ij}_{bit})\big) \\
&\ge \sum_{i,j} p_{\lambda_0=i}\,p_{\lambda_1=j}\big(1 - h(e^{ij}_{bit} + \delta) - h(e^{ij}_{bit})\big) \\
&\ge 1 - h\Big(\sum_{i,j} p_{\lambda_0=i}\,p_{\lambda_1=j}\,e^{ij}_{bit} + \delta\Big) - h\Big(\sum_{i,j} p_{\lambda_0=i}\,p_{\lambda_1=j}\,e^{ij}_{bit}\Big) \\
&= 1 - h(e_{bit} + \delta) - h(e_{bit}),
\end{aligned} \qquad (10)
$$

where we apply the concavity property of the Shannon entropy function in the previous calculation. By implementing the security analysis result, we calculate the secret key rate $R$ with given randomness deviation parameters $\varepsilon_0$ and $\varepsilon_1$ in Fig. 2. The calculation result demonstrates that the bases selection weak randomness decreases the final secret key rate more obviously compared with the classical bit encoding weak randomness.

Two-step post processing method - In the previous weak randomness model, the input random numbers may be controlled by the hidden variables $\lambda_0$ and $\lambda_1$. Since there are two different bases selections (diagonal basis and rectilinear basis) and two different classical bit encodings (0 and 1), we can simply assume $\lambda_0$ and $\lambda_1$ have two different values $\{0,1\}$ respectively.

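In the practical experimental realization, we can only observe the classical bit encoding probability $p(x_0) = p_{\lambda_0=0}\,p(x_0|\lambda_0 = 0) + p_{\lambda_0=1}\,p(x_0|\lambda_0 = 1)$, but $p(x_0) = \frac{1}{2}$ can't guarantee $p(x_0|\lambda_0 = 0) = p(x_0|\lambda_0 = 1) = \frac{1}{2}$; the detailed classical bit deviation model is given in Fig. 3. Similarly, we can also only observe the bases selection probability $p(x_1) = p_{\lambda_1=0}\,p(x_1|\lambda_1 = 0) + p_{\lambda_1=1}\,p(x_1|\lambda_1 = 1)$, but the observed probability $p(x_1) = \frac{1}{2}$ can't guarantee $p(x_1|\lambda_1 = 0) = p(x_1|\lambda_1 = 1) = \frac{1}{2}$; the detailed bases selection deviation model is given in Fig. 4. The practical quantum state preparation is given by

$$\rho_{AB} = \sum_{\lambda_1} p_{\lambda_1}\,p(x_1=0|\lambda_1)\sum_{\lambda_0} p_{\lambda_0}\,\rho_{ABz\lambda_0} + \sum_{\lambda_1} p_{\lambda_1}\,p(x_1=1|\lambda_1)\sum_{\lambda_0} p_{\lambda_0}\,\rho_{ABx\lambda_0}, \qquad (11)$$

where

$$\rho_{ABz\lambda_0} = \sum_{u,v} q_{u,v}\, I\otimes X^uZ^v|\psi\rangle\langle\psi|_{\lambda_0}Z^vX^u\otimes I,$$
$$\rho_{ABx\lambda_0} = \sum_{u,v} q_{u,v}\, I\otimes HX^uZ^vH|\psi\rangle\langle\psi|_{\lambda_0}HZ^vX^uH\otimes I.$$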
FIG. 2: Secret key rate for different quantum bit error rate values, where the blue solid line is the no randomness deviation case, the green dashed line considers $\varepsilon_0 = 0.1$ and $\varepsilon_1 = 0$, the red dotted line considers $\varepsilon_0 = 0$ and $\varepsilon_1 = 0.1$ with the two-step post processing method, and the red dash-dotted line considers $\varepsilon_0 = 0$ and $\varepsilon_1 = 0.1$ with the one-step post processing method. Compared with the one-step post processing method, the two-step post processing method can generate much more secret key with given basis selection randomness deviation; this is because we can get a more precise phase error estimation in the two-step post processing method.

FIG. 3: The classical bit encoding $x_0$ is controlled by the hidden variable $\lambda_0$; different $\lambda_0$ values have different classical bit encoding probabilities $p(x_0|\lambda_0)$.


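For given hidden variables $\lambda_0$ and $\lambda_1$, the difference between the phase error rate in the rectilinear basis and the bit error rate in the diagonal basis can be given by

$$\left|e_{p\lambda_0\lambda_1 0} - e_{b\lambda_0\lambda_1 1}\right| \le \tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}},$$

where $e_{p\lambda_0\lambda_1 0} = \langle\phi_3|\rho_{ABz\lambda_0}|\phi_3\rangle + \langle\phi_4|\rho_{ABz\lambda_0}|\phi_4\rangle$, $e_{b\lambda_0\lambda_1 1} = \langle\phi_2|\rho_{ABx\lambda_0}|\phi_2\rangle + \langle\phi_4|\rho_{ABx\lambda_0}|\phi_4\rangle$. Similarly, the difference between the phase error rate in the diagonal basis and the bit error rate in the rectilinear basis can be given by

$$\left|e_{p\lambda_0\lambda_1 1} - e_{b\lambda_0\lambda_1 0}\right| \le \tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}},$$

where $e_{p\lambda_0\lambda_1 1} = \langle\phi_3|\rho_{ABx\lambda_0}|\phi_3\rangle + \langle\phi_4|\rho_{ABx\lambda_0}|\phi_4\rangle$, $e_{b\lambda_0\lambda_1 0} = \langle\phi_2|\rho_{ABz\lambda_0}|\phi_2\rangle + \langle\phi_4|\rho_{ABz\lambda_0}|\phi_4\rangle$. By considering $e_{p\lambda_1 0} = \langle\phi_3|\sum_{\lambda_0} p_{\lambda_0}\rho_{ABz\lambda_0}|\phi_3\rangle + \langle\phi_4|\sum_{\lambda_0} p_{\lambda_0}\rho_{ABz\lambda_0}|\phi_4\rangle = \sum_{\lambda_0} p_{\lambda_0}\,e_{p\lambda_0\lambda_1 0}$ and $e_{b\lambda_1 1} = \langle\phi_2|\sum_{\lambda_0} p_{\lambda_0}\rho_{ABx\lambda_0}|\phi_2\rangle + \langle\phi_4|\sum_{\lambda_0} p_{\lambda_0}\rho_{ABx\lambda_0}|\phi_4\rangle = \sum_{\lambda_0} p_{\lambda_0}\,e_{b\lambda_0\lambda_1 1}$, we calculate the difference between the phase error rate $e_{p\lambda_1 0}$ and the bit error rate $e_{b\lambda_1 1}$

$$
\begin{aligned}
\left|e_{p\lambda_1 0} - e_{b\lambda_1 1}\right| &= \Big|\sum_{\lambda_0} p_{\lambda_0}\big(e_{p\lambda_0\lambda_1 0} - e_{b\lambda_0\lambda_1 1}\big)\Big| \\
&\le \sum_{\lambda_0} p_{\lambda_0}\left|e_{p\lambda_0\lambda_1 0} - e_{b\lambda_0\lambda_1 1}\right| \\
&\le \tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}}.
\end{aligned} \qquad (15)
$$

Similarly, the difference between $e_{p\lambda_1 1}$ and $e_{b\lambda_1 0}$ is

$$\left|e_{p\lambda_1 1} - e_{b\lambda_1 0}\right| \le \tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}}. \qquad (16)$$

FIG. 4: The basis selection deviation is controlled by the hidden variable $\lambda_1$; different $\lambda_1$ values have different basis selection probabilities $p(x_1|\lambda_1)$. For given hidden variable $\lambda_1 = 0$, $e_{b00}$ and $e_{b01}$ are bit error rates introduced in the rectilinear basis and diagonal basis, while $e_{p00}$ and $e_{p01}$ are phase error rates introduced in the rectilinear basis and diagonal basis respectively. For given hidden variable $\lambda_1 = 1$, $e_{b10}$ and $e_{b11}$ are bit error rates introduced in the rectilinear basis and diagonal basis, while $e_{p10}$ and $e_{p11}$ are phase error rates introduced in the rectilinear basis and diagonal basis respectively.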

The probability of getting the rectilinear basis and diagonal basis measurement outcomes on Bob's side can be respectively given by

$$p_{rec} = p_{rec1} + p_{rec2}, \qquad p_{dia} = p_{dia1} + p_{dia2}, \qquad (17)$$

where $p_{rec1} = p_{\lambda_1=0}\,p(x_1 = 0|\lambda_1 = 0)$, $p_{rec2} = p_{\lambda_1=1}\,p(x_1 = 0|\lambda_1 = 1)$, $p_{dia1} = p_{\lambda_1=0}\,p(x_1 = 1|\lambda_1 = 0)$, $p_{dia2} = p_{\lambda_1=1}\,p(x_1 = 1|\lambda_1 = 1)$. The phase error rate in the rectilinear basis and diagonal basis can be respectively given by

$$e_{recpha} = \frac{p_{rec1}e_{p00} + p_{rec2}e_{p10}}{p_{rec}} \le \frac{p_{rec1}e_{b01} + p_{rec2}e_{b11}}{p_{rec}} + \tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}},$$
$$e_{diapha} = \frac{p_{dia1}e_{p01} + p_{dia2}e_{p11}}{p_{dia}} \le \frac{p_{dia1}e_{b00} + p_{dia2}e_{b10}}{p_{dia}} + \tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}}. \qquad (18)$$

The bit error rate in the rectilinear basis and diagonal basis can be respectively given by

$$e_{recbit} = \frac{p_{rec1}e_{b00} + p_{rec2}e_{b10}}{p_{rec}}, \qquad e_{diabit} = \frac{p_{dia1}e_{b01} + p_{dia2}e_{b11}}{p_{dia}}. \qquad (19)$$

By applying the two-step post processing method with the two different bases measurement outcomes, the final secret key rate can be given by

$$R \ge p_{rec}\big(1 - h(e_{recbit}) - h(e_{recpha})\big) + p_{dia}\big(1 - h(e_{diabit}) - h(e_{diapha})\big), \qquad (20)$$
where the first part is the secret key generated by the rectilinear basis, while the second part is the secret key generated by the diagonal basis. The corresponding secret key rate $R$ for different quantum bit error rate values is given in Fig. 2; the calculation is based on the nonlinear optimization method with given quantum bit error rate, and the detailed explanation is in the Methods. To explain our analysis result, we compare the two analysis methods by considering a wavelength attack that has coupling ratios 0.4 and 0.6 with different wavelengths. If the observed quantum bit error rate is 0.02, the one-step post processing method can generate the secret key rate 0.0984, while the two-step post processing method can generate the secret key rate 0.6642.

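Methods - By considering Eve's arbitrary attacking scheme, the final secret key rate with two different bases can be calculated with the following optimization method

$$
\begin{aligned}
\text{Minimize:}\quad & p_{rec}\big(1 - h(e_{recbit}) - h(e_{recpha})\big) + p_{dia}\big(1 - h(e_{diabit}) - h(e_{diapha})\big) \\
\text{Subject to:}\quad & p_{\lambda_0=0} + p_{\lambda_0=1} = p_{\lambda_1=0} + p_{\lambda_1=1} = 1 \\
& p(x_0 = 0|\lambda_0) + p(x_0 = 1|\lambda_0) = p(x_1 = 0|\lambda_1) + p(x_1 = 1|\lambda_1) = 1 \\
& 0 \le e_{b00}, e_{b01}, e_{b10}, e_{b11}, p_{\lambda_0=0}, p_{\lambda_1=0} \le 1 \\
& \left|p(x_0|\lambda_0 = i) - \tfrac{1}{2}\right| \le \varepsilon_0 \\
& \left|p(x_1|\lambda_1 = j) - \tfrac{1}{2}\right| \le \varepsilon_1 \\
& \left|e_{p\lambda_1 0} - e_{b\lambda_1 1}\right| \le \tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}} \\
& \left|e_{p\lambda_1 1} - e_{b\lambda_1 0}\right| \le \tfrac{1}{2} - \sqrt{-\varepsilon_0^2 + \tfrac{1}{4}} \\
& p_{rec} = p_{dia} \\
& p_{rec}\,e_{recbit} + p_{dia}\,e_{diabit} = Q,
\end{aligned} \qquad (21)
$$

where $Q$ is the quantum bit error rate estimated in the practical experimental realization, and $p_{rec} = p_{dia} = \frac{1}{2}$ is the bases selection probability observed in the practical experimental realization.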
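As an added illustration (not code from the paper), the Python sketch below evaluates the one-step bound of Eq. (10) and a restricted form of the optimization in Eq. (21), and reproduces the 0.0984 and 0.6642 rates quoted above for a quantum bit error rate of 0.02. It assumes that $\lambda_1$ is uniform with basis bias $\frac{1}{2} \pm \varepsilon_1$, that the 0.4/0.6 coupling ratios correspond to $\varepsilon_1 = 0.1$, and that a grid search over the four bit error rates stands in for the nonlinear optimizer; all function names are hypothetical.

```python
import math

def h(x):
    """Binary Shannon entropy, clamped to [0, 1/2] where it is increasing."""
    x = min(max(x, 0.0), 0.5)
    return 0.0 if x == 0.0 else -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def bit_deviation_bound(eps0):
    """1/2 - sqrt(1/4 - eps0^2): phase/bit error gap caused by biased bit encoding."""
    return 0.5 - math.sqrt(0.25 - eps0 ** 2)

def one_step_rate(Q, eps0, eps1):
    """Eq. (10): R >= 1 - h(Q + delta) - h(Q), with delta taken from Eq. (8)."""
    delta = max(bit_deviation_bound(eps0), 2 * eps1)
    return max(0.0, 1 - h(Q + delta) - h(Q))

def two_step_rate(Q, eps0, eps1, steps=40):
    """Grid-search form of Eq. (21) under the assumptions stated in the lead-in."""
    if not 0 <= eps1 < 0.5:
        raise ValueError("eps1 must lie in [0, 1/2)")
    gap = bit_deviation_bound(eps0)
    # Assumed hidden-variable model: lambda_1 uniform, basis bias 1/2 +/- eps1.
    rec1, rec2 = 0.5 * (0.5 + eps1), 0.5 * (0.5 - eps1)
    dia1, dia2 = 0.5 * (0.5 - eps1), 0.5 * (0.5 + eps1)
    p_rec, p_dia = rec1 + rec2, dia1 + dia2
    worst = 1.0
    # Split the observed error budget Q among e_b00, e_b01, e_b10, e_b11 so that
    # p_rec*e_recbit + p_dia*e_diabit = Q holds at every grid point.
    for k00 in range(steps + 1):
        for k01 in range(steps + 1 - k00):
            for k10 in range(steps + 1 - k00 - k01):
                k11 = steps - k00 - k01 - k10
                b00, b10 = Q * k00 / steps / rec1, Q * k10 / steps / rec2
                b01, b11 = Q * k01 / steps / dia1, Q * k11 / steps / dia2
                if max(b00, b01, b10, b11) > 1:
                    continue  # error rates are probabilities
                rec_bit = (rec1 * b00 + rec2 * b10) / p_rec        # Eq. (19)
                dia_bit = (dia1 * b01 + dia2 * b11) / p_dia
                rec_pha = (rec1 * b01 + rec2 * b11) / p_rec + gap  # Eq. (18) bound
                dia_pha = (dia1 * b00 + dia2 * b10) / p_dia + gap
                rate = (p_rec * (1 - h(rec_bit) - h(rec_pha))      # Eq. (20)
                        + p_dia * (1 - h(dia_bit) - h(dia_pha)))
                worst = min(worst, rate)
    return max(0.0, worst)

if __name__ == "__main__":
    # Assumed mapping: coupling ratios 0.4/0.6 -> eps1 = 0.1; observed Q = 0.02.
    print(round(one_step_rate(0.02, 0.0, 0.1), 4))
    print(round(two_step_rate(0.02, 0.0, 0.1), 4))
```

With $\varepsilon_1 = 0$ the two functions return the same rate for any $\varepsilon_0$, matching the statement that the two methods coincide when only the bit encoding randomness is weak.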

Conclusion - In this work, security of the BB84 QKD protocol against the strong randomness attack and the weak randomness attack has been analyzed, which applies to several practical attacking schemes, such as the photon number splitting attack, detector blinding attack, wavelength attack and time shift attack. We demonstrate that security of the practical QKD system can be evaluated by respectively considering the Trojan horse attack, the strong randomness attack and the weak randomness attack, and the three attacking models can be employed to build the practical QKD system security standardization in the future.